1f28d9c1156ed51daa3b0a0c2e29d8a8a487213bc315b25b209aebb2a6d276d7

Resubmissions

28/03/2024, 17:00

240328-vjge6sca89 3

28/03/2024, 16:59

240328-vhkq7sbb7x 3

28/03/2024, 16:56

240328-vf6wnabb4y 3

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spotify.exe
Size

1.8MB
MD5

d14412f37ddcfb79a8459c9cffe61141
SHA1

c8e3e9db1075225f04aa1f1c78af82933a7aefbe
SHA256

1f28d9c1156ed51daa3b0a0c2e29d8a8a487213bc315b25b209aebb2a6d276d7
SHA512

6f3eb853c74496d2f0ea2b8bc3a5db582b6d82e6a805b92205c6a0e8abd88c60b405ff43cd70eda32517a55c760e311684b81c25a48ef49fb9b972ee50a47ad8
SSDEEP

24576:eSPMKv6qBxfcremN3ORRkyUV3mrvO3coz1hQiZKHT10OOfnFZ/XDe1n7Ji9:eSEC6qBng3tyfmco5mHnynFZ9

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4860	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4860	taskmgr.exe
Token: SeSystemProfilePrivilege	4860	taskmgr.exe
Token: SeCreateGlobalPrivilege	4860	taskmgr.exe
Token: SeBackupPrivilege	4444	svchost.exe
Token: SeRestorePrivilege	4444	svchost.exe
Token: SeSecurityPrivilege	4444	svchost.exe
Token: SeTakeOwnershipPrivilege	4444	svchost.exe
Token: 35	4444	svchost.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
1548	firefox.exe
4860	taskmgr.exe
1548	firefox.exe
1548	firefox.exe
1548	firefox.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
1548	firefox.exe
4860	taskmgr.exe
1548	firefox.exe
1548	firefox.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe
4860	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1548	firefox.exe
1548	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1548	1772	firefox.exe	104
PID 1772 wrote to memory of 1548	1772	firefox.exe	104
PID 1772 wrote to memory of 1548	1772	firefox.exe	104
PID 1772 wrote to memory of 1548	1772	firefox.exe	104
PID 1772 wrote to memory of 1548	1772	firefox.exe	104
PID 1772 wrote to memory of 1548	1772	firefox.exe	104
PID 1772 wrote to memory of 1548	1772	firefox.exe	104
PID 1772 wrote to memory of 1548	1772	firefox.exe	104
PID 1772 wrote to memory of 1548	1772	firefox.exe	104
PID 1772 wrote to memory of 1548	1772	firefox.exe	104
PID 1772 wrote to memory of 1548	1772	firefox.exe	104
PID 1548 wrote to memory of 4292	1548	firefox.exe	105
PID 1548 wrote to memory of 4292	1548	firefox.exe	105
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 2560	1548	firefox.exe	106
PID 1548 wrote to memory of 1324	1548	firefox.exe	107
PID 1548 wrote to memory of 1324	1548	firefox.exe	107
PID 1548 wrote to memory of 1324	1548	firefox.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\spotify.exe
"C:\Users\Admin\AppData\Local\Temp\spotify.exe"
1⤵
PID:3372

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.0.1919418131\204943896" -parentBuildID 20221007134813 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {445eee84-ba7a-472c-a231-75d7f2f2dd5c} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 1976 1f341004e58 gpu
    3⤵
    PID:4292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.1.1410456534\942835688" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d36bc88-e35a-4cd3-a7d6-e4826a5f5a31} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 2380 1f333572858 socket
    3⤵
    PID:2560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.2.1893063158\233027232" -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 3132 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dc4efb8-66f5-434a-be8d-e057a9c35215} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 3144 1f343e9dd58 tab
    3⤵
    PID:1324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.3.285038230\1392531500" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a2c9480-dd0b-4b08-bd45-3a737b705be6} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 3568 1f333561f58 tab
    3⤵
    PID:4208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.4.1246045982\91391333" -childID 3 -isForBrowser -prefsHandle 4228 -prefMapHandle 4304 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea283ff2-3874-4e06-bf67-0bec16f0b724} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 4312 1f3451f8f58 tab
    3⤵
    PID:4984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.5.737514924\729961684" -childID 4 -isForBrowser -prefsHandle 4988 -prefMapHandle 5016 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25a10a2a-3a4d-414b-bf09-78a099c4e457} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 5020 1f346320158 tab
    3⤵
    PID:3908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.6.190673295\1254698422" -childID 5 -isForBrowser -prefsHandle 5140 -prefMapHandle 5144 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eb1050f-7333-4692-93aa-335d5cc0f8cb} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 5132 1f346320d58 tab
    3⤵
    PID:3060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.7.1900657312\1630216388" -childID 6 -isForBrowser -prefsHandle 5332 -prefMapHandle 5336 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa74b47f-76bf-47fb-a1af-81eaae6353c1} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 5324 1f346321358 tab
    3⤵
    PID:4304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.8.1264098521\1140594531" -childID 7 -isForBrowser -prefsHandle 5188 -prefMapHandle 5204 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7411e901-c75a-4c5e-a3b1-dea183ce5ac5} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 5180 1f34007c158 tab
    3⤵
    PID:5516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.9.100731269\833990643" -childID 8 -isForBrowser -prefsHandle 5088 -prefMapHandle 5100 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60909f95-b5d8-4d41-810e-19d9615aafeb} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 5192 1f340061b58 tab
    3⤵
    PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qapp529h.default-release\cache2\doomed\8276

Filesize
8KB

MD5
ff18c56332196b29f113fd7b285626b5

SHA1
60be8c76b19dcfd2102e7be27053dcb881ffa468

SHA256
5be34c635e464e7ed70290d337da5800363d5fc304905ce999bb50c18f355a06

SHA512
a9f8167481b0191498bb1018fbfb11e948da4763eb1b7c39ee516fd02ef3419abd0ab34ae369a614804ad5f9f44a225d53c75dd31cfc87bc7a9c7761f5652bd5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qapp529h.default-release\cache2\entries\DE23CF9E01AA6278843163311B343B07086E02FC

Filesize
207KB

MD5
c5a25c0de3e4f95c71ed83050da612b7

SHA1
2b165302f841de3f91807b8010aab299b1629229

SHA256
9d74520095ca1184e577c10390e82a98476c98ff592f827224797dd81a5f14c6

SHA512
b75c514aa638ed6c167b0922bb2fd1e733d54d535df69cf0b8cdc55b8938b9846c1a63c69319ee29e714c3828f14d0a7afe1f4b6bb8dbea3656624c0e377f1ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
d3532aedee59e7022e4adcbb4c14bd99

SHA1
b4c6b00dff63d86063b3193ea048c9978f718c05

SHA256
6d1109d55e04d1e409e647d7df1dafe46eb474d8c000f0df922d73e652984e31

SHA512
436c18ec1d052119886b4ef949ee6d487d5c39b6364cea0b92aa4ce2080c9077e61f8361ceefdf13b49e22cffdb402b93eb0e59396b12c4337052c91917e10c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\pending_pings\41a3204a-3201-448f-af30-3f976ea6c20a

Filesize
11KB

MD5
853d09ddcd5630549722baf0b5e976da

SHA1
8c738dacc98d0d02ecf071819e8496d9d1deca45

SHA256
54873567b9273353e7d47a13a6253339b0827468c6ce92d96b35093a05043990

SHA512
3a3a3b61fc389f5ceafa0616706c6633cbde59a54694e648be79063383ee2b636244f6f520b00b8050f4d959a0b3a50e470bb2af3f716e431fdaab4095101d41

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\pending_pings\a2738ce2-a9a7-4305-8e2a-ce342cbe5926

Filesize
746B

MD5
bbc2839e76496f1b980ba085c6f1b1c1

SHA1
0b22fa36c54222cd0c4edd48b0c4253fd33b6202

SHA256
fcec92e208c15a1368bf139774f66ef36aa7395bb0ca8f3e0e46c55c144c2cb7

SHA512
9c047826af2c0f8ab6686713090839bec4666db385ad2c59ca168de752f73b79340a61e42cfb37a98ccf1bcd816fd4cc38a157605c774aa6bb46240e0fbee19d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js

Filesize
6KB

MD5
a741686fff86562507a8836674e45137

SHA1
5e6468eb99cf941f6517be1db3544a434039b76a

SHA256
a89e39a2efa10364b2116a6a0f79f9be99fc7c7905e6ab5c654305c294029509

SHA512
99493f668c880cdadbddf4d65c82f99645ed3a6a6ff3ee3685fee8e446825358f0877d42914798a405f0379fa8e7edead7ac922311a924c8d0cbb2cec3077b3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js

Filesize
6KB

MD5
6de2fdabcdac9c3e530f3a89f7cbd09d

SHA1
f19e578bf4361df97794eabbb5edc88dc87ce405

SHA256
986b83bebf9129aeea01c73526d36053c08f8b23f644491efca0c75add0bd6a6

SHA512
881167eff624db829da97da100d4c9770653d7726ea833d998e388b8777810e2c0993ceca4c28c6829f9388d9e0e93aefac987a6892e511b1c3ccd50ac27a2ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs.js

Filesize
6KB

MD5
8ecddc523d983b80684b2cb8c8d72176

SHA1
07b6fd46eb61472e018309d481cc3f9312b39f1a

SHA256
4a3b85db58bf150149de6214fc003ef80ed52fbaf973e4ac2a98973ea226c69e

SHA512
16ad1699e5e9f91f72d0f83d3d1ffec37490cc96e19fe3404e3f7b2324b9951897526203824b928e1affb6a19ec3c40c7eccedb02d44a4d7f694e6c5d568063e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
6dde292efe11cb4ad8b605985ac2e248

SHA1
d90703f75d3a1b881f4c060db0df37b68906931d

SHA256
5ebdb62c01648719bebe0ffead9858437420798f9e5db11b3219183029f7cd05

SHA512
28c3edf0e172b5c491673d633853cf42760198e574c9f653f291712434709e6abae98527a316ce2c52553733f7686b2c5925b632b4539161ce281c0814f3e228

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
019ad0c9cec2dfbaad1769d4e6e9ae0a

SHA1
20389b425c115dfb334d970c9b41b46bf6e0abca

SHA256
0967e48d3366a25da65b3cddf47afc5c799affc277af0ddce1b6fe8c0afeea6a

SHA512
26c031367bd489e95a7abb49f72cd205be3f15b40af41f02ec0b5847c99b42c8b0f21a8d9d57c1024390dbcb964cfd23d13294eaabba171e9798210bf6c9b02a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
8b52fd99bd2411362b15cc69a2e6810b

SHA1
636dd180f66e885d6ed0a2b70bebef0fd66a8304

SHA256
67d98d2944a55bd77558923258168c4024bcb035e0f9d7f5ef37b7b970c904a2

SHA512
323b7f531481e1dcfb9e0f3b969399cbb6394fe0b0918d9f3998ea62e6a85c19d89d3df007582e81ba4660b7088c8e0a8230211e36f7cf7955d08e9c73d0af9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
c2c99696deb08a8bb8d2d968004177f3

SHA1
33fc93db4c393090bec4c37998d9b8f513cb7ef9

SHA256
c4c19b6bce1bdd3431d404c27efb3fbf1b9ac95f5f808261ef7f36d81e136e9b

SHA512
7a95441011654e1147484a8055496e74d6000876e5ffbacf4e4fab1a71a66ecb5adc826df2feadba47900a725e19d6809aedc78f6c7bb2c995b254a4d67d0be9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
811809ae150ada41dbe6786316127da8

SHA1
2342c2b3c1b9e3f7c94c68a5c672d29b07b9f66a

SHA256
ea241a36bc93a1a6e49c4bef122fd499e76157d55dfed0da35566ad4f532727a

SHA512
3c4b865371b25778427ae5ff327adbf3815a5da969e1ceff268e1006ab7ca3f8292070ae7eef506ff6b2320f81a0fcb2c87b92d45a5ab17a6076e59ac1277edb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
7749ba0d8247a8c5ca65097cf4b1c283

SHA1
83a5fd4379f10f6612bee87df5caab85a857d120

SHA256
9d42afcef1ae5f8ddd2d5dcb30c4c0b932b080beb46c9be9a8315285cf1f9868

SHA512
250677d363ff04f50af01656964f6504f72069d3fead6419ea808f7bc0b2e55753fc6a4a5caf797c214a7195634fa84bfd5aaa692aafa13f6c7d4556a9020187

Download Submit
memory/4860-7-0x000001E23E0D0000-0x000001E23E0D1000-memory.dmp

Filesize
4KB

Download
memory/4860-8-0x000001E23E0D0000-0x000001E23E0D1000-memory.dmp

Filesize
4KB

Download
memory/4860-6-0x000001E23E0D0000-0x000001E23E0D1000-memory.dmp

Filesize
4KB

Download
memory/4860-9-0x000001E23E0D0000-0x000001E23E0D1000-memory.dmp

Filesize
4KB

Download
memory/4860-2-0x000001E23E0D0000-0x000001E23E0D1000-memory.dmp

Filesize
4KB

Download
memory/4860-0-0x000001E23E0D0000-0x000001E23E0D1000-memory.dmp

Filesize
4KB

Download
memory/4860-10-0x000001E23E0D0000-0x000001E23E0D1000-memory.dmp

Filesize
4KB

Download
memory/4860-12-0x000001E23E0D0000-0x000001E23E0D1000-memory.dmp

Filesize
4KB

Download
memory/4860-1-0x000001E23E0D0000-0x000001E23E0D1000-memory.dmp

Filesize
4KB

Download
memory/4860-11-0x000001E23E0D0000-0x000001E23E0D1000-memory.dmp

Filesize
4KB

Download